oski | hxxps://samples[.]vx-underground[.]org/Samples/Families/Oski/fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916[.]7z

Analysis

max time kernel
122s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/Families/Oski/fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.7z

Score

10^/10

oski evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

oski

eesss.online

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe

Executes dropped EXE 2 IoCs

pid	Process
4988	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
1856	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4988	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
1856	fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2764	4988	WerFault.exe	116
3992	1856	WerFault.exe	127

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585361175461607"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3688	7zFM.exe
952	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
396	chrome.exe
396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
3688	7zFM.exe
3688	7zFM.exe
3688	7zFM.exe
3688	7zFM.exe
3688	7zFM.exe
396	chrome.exe
3688	7zFM.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4284	396	chrome.exe	85
PID 396 wrote to memory of 4284	396	chrome.exe	85
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 3496	396	chrome.exe	86
PID 396 wrote to memory of 672	396	chrome.exe	87
PID 396 wrote to memory of 672	396	chrome.exe	87
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88
PID 396 wrote to memory of 1520	396	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://samples.vx-underground.org/Samples/Families/Oski/fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.7z
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d5c4ab58,0x7ff9d5c4ab68,0x7ff9d5c4ab78
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1852,i,6529825318839858869,3508169909308888734,131072 /prefetch:8
  2⤵
  PID:2612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4272

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3688
- C:\Users\Admin\AppData\Local\Temp\7zO86E16808\fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO86E16808\fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1328
    3⤵
    - Program crash
    PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4988 -ip 4988
1⤵
PID:400

C:\Users\Admin\Desktop\fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe
"C:\Users\Admin\Desktop\fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1348
  2⤵
  - Program crash
  PID:3992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1856 -ip 1856
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
116c08afde29b426054b6fecb63333da

SHA1
5ca02911d6d3ddcc599f4ea5ac6009ec39c10419

SHA256
fefe5e9c6e9dbcbd1d92eda32e393b685e9699b96eb4c330b6f265dc4ee1212d

SHA512
38af47ed8fcb387ebc9b3e87d46f1d1ba727689799368fb74302675529760c087d88ff1f6622c70d5985eb5057fa667390a0e748619d24eee748a2eae5f721e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f40cdc04dd6d375da4c48f33c5605c7f

SHA1
239bbf622ca7b8c2de640e58084c990186a9eca1

SHA256
833111544002d86fa54552dcf3d4399b27f81f011bbd21b14190d7ca4b1c35bb

SHA512
a357d56ad739ca716eac5d8f1051b66b8c3b4e43560cd9faba281629ef9da82a64435639bc69df435c7dc7f371cd809e9e7170dbd52b1927b00061158bd79454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
eca56174fb1d7c4861f084e87c5dcee3

SHA1
665824b670299f68639090d4415e90ca5c53995a

SHA256
0cfd33ad92eb937f6c59cd58341b9ad83e9d7062866c3e263f8c0b88581e3d97

SHA512
ff78d9daffa5705d6ca078fad25b7f7db26b71debc66eb385661ae533776e4dea0a7b868baa9f8af91650131e93154a49978fc14dbc385a23fb1c0875fd47967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
250KB

MD5
3844b99f3fc131797d72173db4dc980a

SHA1
88408d261d44a099c026c7b07a8b6eac7e7d9b37

SHA256
ab8c81a1e6995dcf291b7828d7b76082cc2cc067e4ee06bdab19ea3df6c375aa

SHA512
44e96a24e2ff75f6d77662111318a600b77e026800dec3a0f892752d4832b72f3c781606cf5f48d88e594a53ad21bcaa198625bda38629990beb38d7ad37504c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
769524b55c255298a59d48c9814e9d37

SHA1
988940aaef430013763fb73ce8b70d8e871c905c

SHA256
9569a75fec3495e9f568c0548392fecc6c2196851cf0aa30dd7eee8f067fb638

SHA512
b0956d38580b17d48434939909968efac3ea2d25b02e226ce868d13deeecb408e314357efad0bfe51256c4b1c568a101291d78e20ec40f254d33f78b77146e41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ec25.TMP

Filesize
94KB

MD5
6183f80fa88aba434339eb2e993310e8

SHA1
b264934b06b447f2d13aeca26136cb0a90f611c4

SHA256
fb44fbbc7791dffc3d05f520bcc9e45888a81842faa3518b40b2586d5224caae

SHA512
7b40acca61c2cd22c0b6f82325b39025e6c473b2e09eb48908106f0eb795f2d14698c9db5fbaf7ad75c9671ab9e4f513c4c33286e9d807ea72ec22ec895d7c24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
6368b6c8c183be557ff71e570a53673e

SHA1
e194e9203b686703e51a23e219ec9a06c25853de

SHA256
b6220ca00f80b9264849fb44c359f080915edfe362b3974bd3ab81d934994ed4

SHA512
a51425cef730e2ee1046c2583f876931b5d235f3fb897105bdb9db588ea683971ef412a0ddcefe2bdc13ca88cbb45acc083eef8431dc3fc53263aad711b7fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO86E16808\fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.exe

Filesize
2.5MB

MD5
89d6e77c93b0ae70972f87a0f8f136da

SHA1
22de1336f5e8414b7d566c29031f77abe26e04a0

SHA256
fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916

SHA512
ea1c75b467b89ba68a6b62304acfd054ad8000d46c49bba749652dea874943b91c1ee74e359ab0944ebc9cac0a73483cd1f8a7102e6a0c031c1260188eaf0c4a

Download Submit
C:\Users\Admin\Downloads\fdd060d4ee221701282ca13c743cc95965708d71a975691f04e300a99fd23916.7z.crdownload

Filesize
2.1MB

MD5
3734cda3f7794efd802ea679351b0b9a

SHA1
87072ea3db2335de1b2164f23110f8a99ff0137c

SHA256
f652216bd4976e6cf1a919e96da0b15c3f9cd7e3c3921d6c83bde33a794ca2d1

SHA512
385ab67122fb5d492c45c8dfe1ff23ceaf694a2033ae3092dee1e7744b4826306b4155214fbc98ac9a8de250a6f30acc386c92b5b15cab5312cc8f6be4352157

Download Submit
memory/952-203-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-202-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-201-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-207-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-205-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-206-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-204-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-194-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-193-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/952-192-0x0000017C60460000-0x0000017C60461000-memory.dmp

Filesize
4KB

Download
memory/1856-190-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/1856-211-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/1856-195-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/1856-196-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/1856-208-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/1856-198-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/4988-85-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/4988-187-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/4988-183-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/4988-182-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/4988-181-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/4988-180-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/4988-179-0x00000000775B4000-0x00000000775B6000-memory.dmp

Filesize
8KB

Download
memory/4988-177-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download